Is our Exchange Server compromised?

Hello - I'm back to work to try to get our in-house email working again now that I have some free time on my hands (it stopped working when we switched from ISA to a SonicWall). The first thing I have done is to turn on logging for SMTP to try and diagnose the problem. I can clearly see my test messages attempting to be sent out, even though they aren't making it.

HOWEVER...

While perusing through the logs, I noticed one entry set that looked bizarre compared to the rest. Please see the code snippet.

It looks as if someone is using our server to send email? I did a traceroute and found the IP to reside somewhere in Taiwan!


Use www.mxtoolbox.com to test your setup. Put your ISP IP into the box and see what it tells you.
If you have an Open Relay warning, rerun the CEICW --> SBS Console --> To Do --> Connect to the Internet.
What did you do to uninstall ISA? Did you also remove the second NIC?
Philip


R1AndyAuthor Commented: 2008-11-19

Yes, I disabled one of the NICs. mxtoolbox.com does not yield any helpful information regarding the MX records:

Doing resolver lookup for T=MX domain=``rain1.com''
Questionable: NO MX DATA: domain=``rain1.com'' We SIMULATE!
Do have at least one MX entry added!

Testing MX server: rain1.com

Address lookup did yield following ones:

IPv4 67.15.32.226

Testing server at address: IPv4 67.15.32.226

ERROR: Connect failure reason: Connection refused

(Still possibly all OK!)

--------------

I would like to get this issue resolved, but shouldn't I be more worried whether or not an intruder is using our server for malicious purposes?


R1AndyAuthor Commented: 2008-11-20

Update: I have godaddy forcing the MX records which should update within 24 hours. I will test again then. However, I am still getting unusual log entries in the SMTP logs. Can anyone please tell me why it looks like our server is being used to relay mail?

When you used the www.mxtoolbox.com utility, did you do an RBL check? That is, verifying your server's IP against any existing black lists?
Philip


R1AndyAuthor Commented: 2008-11-24

I just tried and it didn't say either way. The screen refreshed, but there was no status text. Maybe it's down, I'll try again later.


R1AndyAuthor Commented: 2008-11-25

OK, godaddy.com fixed the MX record and the emails are sending/receiving correctly. So that just leaves my original question about whether or not our server has been compromised?


R1AndyAuthor Commented: 2008-12-02

<BUMP> Now that our email is fully working again, I am seeing a lot of stuff in the SMTP logs that looks like it is not coming from anyone in our office (or to anyone). In fact, I also saw a log entry that had david@rain1.com, which we don't have either (we have a dave@rain1.com though).

Due to the lack of response, I am going to assume one of two things:

1) The answer is too obvious, and I am stupid for asking

or

2) The experts at Experts Exchange have no clue?

Anyone, please a response would be greatly appreciated. I'm not stingy with points ;)

Thanks for the response Philip! :) I'm not sure that is exactly what we are experiencing, as we have no "Bad Emails" in the Exchange server folder that are waiting to be sent, nor NDR reports filling up the Exchange queue. It just looks as if someone is using our server to send and possibly receive emails.

Is this possible? Or is the code I pasted just stating an attempt to deliver to an email that is not hosted on our server?
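The question the thread keeps circling is whether a RCPT entry in the SMTP protocol log is a relay (an outside host asking our server to deliver to some other outside domain) or just ordinary inbound mail for a local address. The following script is an added example, not code from the thread or from Exchange; it walks a W3C-format SMTP log, reads the column layout from the `#Fields:` header, and labels every RCPT line by three facts: is the recipient domain ours, is the client on our LAN, and did the server answer 2xx or 5xx. The log lines are constructed, and the column order, the local domain (rain1.com) and the LAN range (192.168.1.0/24) are assumptions you would change to match your own server.

```python
"""Classify RCPT lines in an IIS/Exchange-style W3C SMTP protocol log.

Added example with constructed log lines. The field layout in the #Fields
header, LOCAL_DOMAINS and LAN_NETWORKS are assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter

LOCAL_DOMAINS = {"rain1.com"}                               # assumption
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]     # assumption
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample: one ordinary inbound message, one rejected relay probe,
# one relay the server ACCEPTED, and one legitimate LAN submission.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2008-11-19 10:01:02 203.0.113.5 mail.example.net SMTPSVC1 SBS01 192.168.1.2 25 EHLO - +mail.example.net 250
2008-11-19 10:01:02 203.0.113.5 mail.example.net SMTPSVC1 SBS01 192.168.1.2 25 MAIL - +FROM:<bob@example.net> 250
2008-11-19 10:01:03 203.0.113.5 mail.example.net SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<dave@rain1.com> 250
2008-11-19 10:02:10 198.51.100.77 x SMTPSVC1 SBS01 192.168.1.2 25 MAIL - +FROM:<spam@example.org> 250
2008-11-19 10:02:10 198.51.100.77 x SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<victim@example.com> 550
2008-11-19 10:02:11 198.51.100.77 x SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<david@rain1.com> 250
2008-11-19 10:03:30 203.0.113.200 y SMTPSVC1 SBS01 192.168.1.2 25 MAIL - +FROM:<a@example.org> 250
2008-11-19 10:03:30 203.0.113.200 y SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<someone@example.com> 250
2008-11-19 10:04:00 192.168.1.50 workstation SMTPSVC1 SBS01 192.168.1.2 25 MAIL - +FROM:<dave@rain1.com> 250
2008-11-19 10:04:00 192.168.1.50 workstation SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<friend@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a line the splitter cannot trust
        yield dict(zip(fields, values))


def is_lan(ip):
    """True when the client address falls inside one of our LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify(rec):
    """Label a RCPT record; return None for every other SMTP verb."""
    if rec.get("cs-method") != "RCPT":
        return None
    m = ADDR_RE.search(rec.get("cs-uri-query", ""))
    rcpt = m.group(1).lower() if m else ""
    domain = rcpt.rpartition("@")[2]
    accepted = rec.get("sc-status", "").startswith("2")

    if domain in LOCAL_DOMAINS:
        # Mail addressed to us: inbound delivery, never a relay.
        return "inbound-accepted" if accepted else "inbound-rejected"
    if is_lan(rec["c-ip"]):
        # Our own users handing outbound mail to the server.
        return "outbound-from-lan"
    # An outside host asking us to deliver to an outside domain is a relay
    # request; a 2xx here means the server agreed, i.e. an open relay.
    return "OPEN-RELAY-ACCEPTED" if accepted else "relay-attempt-rejected"


def audit(text):
    """Count labels and collect (client ip, recipient) for accepted relays."""
    counts = Counter()
    alarms = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label is None:
            continue
        counts[label] += 1
        if label == "OPEN-RELAY-ACCEPTED":
            alarms.append((rec["c-ip"], rec["cs-uri-query"]))
    return counts, alarms


if __name__ == "__main__":
    counts, alarms = audit(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{n:4d}  {label}")
    for ip, rcpt in alarms:
        print(f"ALARM: {ip} relayed {rcpt} through this server")
```

Reading the output: a "relay-attempt-rejected" line (an outside IP, an outside recipient, a 5xx answer) is the normal background noise every Internet-facing mail server sees and is not evidence of compromise; "OPEN-RELAY-ACCEPTED" is the line that matters, because the server actually took the message for a third party. Note that the david@rain1.com entry lands in "inbound-accepted": Exchange 2003 only refuses unknown local recipients at RCPT time when recipient filtering is turned on, so without it the log cannot tell a real mailbox from a guessed one and the server will accept the message and generate an NDR instead. Point the script at a real log by passing the file contents to `audit()` after adjusting `LOCAL_DOMAINS` and `LAN_NETWORKS`.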